Analysis
-
max time kernel
114s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06-09-2024 13:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e4b61ee08d50aebb3cfe0a03e6559e80N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
e4b61ee08d50aebb3cfe0a03e6559e80N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e4b61ee08d50aebb3cfe0a03e6559e80N.exe
-
Size
386KB
-
MD5
e4b61ee08d50aebb3cfe0a03e6559e80
-
SHA1
eb5d95cf51f18330c0779cda3875d38b27ca6b32
-
SHA256
1d3ceeb96ddcc73771fd0c2d4ab96fcc93e47121e42090fa8b7d2b48a9b0476d
-
SHA512
df023da411a5ae290a7d840e449da32377fadcaef2076352029b298cae8b56aae92ef13b1ff89073206038f21982e772c1097539688ba29438a66734592d9d04
-
SSDEEP
12288:rg32wQZ7287xmPFRkfJg9qwQZ7287xmP:032ZZ/aFKm9qZZ/a
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joggci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oajndh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcgjmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnipjni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfnkqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcblan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcjog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcgmfgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnphdceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paaddgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gajqbakc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkgngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loaokjjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhjjgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edlhqlfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felajbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgffe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcjmmdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcadghnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabmbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phklaacg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmnopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imodkadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckbpqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdeaelok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfnnajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhhhbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indnnfdn.exe -
Executes dropped EXE 64 IoCs
pid Process 3052 Fncpef32.exe 2280 Fnflke32.exe 2760 Fogibnha.exe 2772 Fhomkcoa.exe 2924 Gfejjgli.exe 1900 Gdhkfd32.exe 1736 Gqahqd32.exe 2192 Gkglnm32.exe 1476 Gneijien.exe 1892 Hcgjmo32.exe 1440 Hcigco32.exe 1972 Hlgimqhf.exe 2448 Iliebpfc.exe 2184 Iakgefqe.exe 584 Iefcfe32.exe 1068 Jliaac32.exe 2064 Jdpjba32.exe 1544 Jfofol32.exe 612 Jhdlad32.exe 2296 Jkchmo32.exe 772 Jampjian.exe 2116 Jehlkhig.exe 2316 Khghgchk.exe 2056 Kjmnjkjd.exe 1484 Kadfkhkf.exe 2884 Kcecbq32.exe 2904 Kpicle32.exe 2052 Llbqfe32.exe 2532 Lboiol32.exe 2684 Ljfapjbi.exe 1800 Lhiakf32.exe 1224 Lkgngb32.exe 1408 Lgqkbb32.exe 2844 Lohccp32.exe 2012 Lqipkhbj.exe 2708 Mgedmb32.exe 2216 Mfokinhf.exe 1648 Mmicfh32.exe 2964 Mpgobc32.exe 1276 Mcckcbgp.exe 288 Nedhjj32.exe 1444 Nipdkieg.exe 1604 Npjlhcmd.exe 1556 Nnmlcp32.exe 2288 Nfdddm32.exe 688 Nefdpjkl.exe 2252 Ngealejo.exe 2424 Nnoiio32.exe 2748 Nlcibc32.exe 2656 Njfjnpgp.exe 2676 Nbmaon32.exe 1340 Neknki32.exe 2864 Nhjjgd32.exe 1964 Njhfcp32.exe 2516 Nmfbpk32.exe 1072 Nenkqi32.exe 2020 Nhlgmd32.exe 2024 Nfoghakb.exe 1076 Onfoin32.exe 1208 Oadkej32.exe 1952 Ohncbdbd.exe 808 Ojmpooah.exe 2208 Omklkkpl.exe 1788 Oaghki32.exe -
Loads dropped DLL 64 IoCs
pid Process 2108 e4b61ee08d50aebb3cfe0a03e6559e80N.exe 2108 e4b61ee08d50aebb3cfe0a03e6559e80N.exe 3052 Fncpef32.exe 3052 Fncpef32.exe 2280 Fnflke32.exe 2280 Fnflke32.exe 2760 Fogibnha.exe 2760 Fogibnha.exe 2772 Fhomkcoa.exe 2772 Fhomkcoa.exe 2924 Gfejjgli.exe 2924 Gfejjgli.exe 1900 Gdhkfd32.exe 1900 Gdhkfd32.exe 1736 Gqahqd32.exe 1736 Gqahqd32.exe 2192 Gkglnm32.exe 2192 Gkglnm32.exe 1476 Gneijien.exe 1476 Gneijien.exe 1892 Hcgjmo32.exe 1892 Hcgjmo32.exe 1440 Hcigco32.exe 1440 Hcigco32.exe 1972 Hlgimqhf.exe 1972 Hlgimqhf.exe 2448 Iliebpfc.exe 2448 Iliebpfc.exe 2184 Iakgefqe.exe 2184 Iakgefqe.exe 584 Iefcfe32.exe 584 Iefcfe32.exe 1068 Jliaac32.exe 1068 Jliaac32.exe 2064 Jdpjba32.exe 2064 Jdpjba32.exe 1544 Jfofol32.exe 1544 Jfofol32.exe 612 Jhdlad32.exe 612 Jhdlad32.exe 2296 Jkchmo32.exe 2296 Jkchmo32.exe 772 Jampjian.exe 772 Jampjian.exe 2116 Jehlkhig.exe 2116 Jehlkhig.exe 2316 Khghgchk.exe 2316 Khghgchk.exe 2056 Kjmnjkjd.exe 2056 Kjmnjkjd.exe 1596 Kpgffe32.exe 1596 Kpgffe32.exe 2884 Kcecbq32.exe 2884 Kcecbq32.exe 2904 Kpicle32.exe 2904 Kpicle32.exe 2052 Llbqfe32.exe 2052 Llbqfe32.exe 2532 Lboiol32.exe 2532 Lboiol32.exe 2684 Ljfapjbi.exe 2684 Ljfapjbi.exe 1800 Lhiakf32.exe 1800 Lhiakf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hjlbdc32.exe Hbdjcffd.exe File opened for modification C:\Windows\SysWOW64\Hjlbdc32.exe Hbdjcffd.exe File opened for modification C:\Windows\SysWOW64\Jpjifjdg.exe Jipaip32.exe File created C:\Windows\SysWOW64\Cenljmgq.exe Cfkloq32.exe File opened for modification C:\Windows\SysWOW64\Japciodd.exe Jggoqimd.exe File opened for modification C:\Windows\SysWOW64\Mdadjd32.exe Mnglnj32.exe File created C:\Windows\SysWOW64\Fdpcbceo.dll Mloiec32.exe File opened for modification C:\Windows\SysWOW64\Mblbnj32.exe Mqjefamk.exe File created C:\Windows\SysWOW64\Khldkllj.exe Kablnadm.exe File created C:\Windows\SysWOW64\Dhckfkbh.exe Dipjkn32.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bjpaop32.exe File created C:\Windows\SysWOW64\Opilhdhd.dll Phfoee32.exe File opened for modification C:\Windows\SysWOW64\Jfmkbebl.exe Japciodd.exe File opened for modification C:\Windows\SysWOW64\Olebgfao.exe Oiffkkbk.exe File opened for modification C:\Windows\SysWOW64\Ekkjheja.exe Egonhf32.exe File created C:\Windows\SysWOW64\Piliii32.exe Phklaacg.exe File created C:\Windows\SysWOW64\Dombicdm.dll Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Oiafee32.exe Oajndh32.exe File created C:\Windows\SysWOW64\Njfjnpgp.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Hlekjpbi.dll Khldkllj.exe File created C:\Windows\SysWOW64\Hlklph32.dll Peefcjlg.exe File created C:\Windows\SysWOW64\Ehnjfg32.dll Imjkpb32.exe File opened for modification C:\Windows\SysWOW64\Odgamdef.exe Omnipjni.exe File created C:\Windows\SysWOW64\Fiqhbk32.dll Aficjnpm.exe File created C:\Windows\SysWOW64\Ipomlm32.exe Imaapa32.exe File created C:\Windows\SysWOW64\Kindeddf.exe Kcdlhj32.exe File created C:\Windows\SysWOW64\Lndglp32.dll Nlilqbgp.exe File opened for modification C:\Windows\SysWOW64\Ibcphc32.exe Ikjhki32.exe File created C:\Windows\SysWOW64\Qndkpmkm.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Gjbpne32.exe Gkoobhhg.exe File opened for modification C:\Windows\SysWOW64\Ahmefdcp.exe Qmhahkdj.exe File created C:\Windows\SysWOW64\Icblnd32.dll Nnoiio32.exe File opened for modification C:\Windows\SysWOW64\Adnpkjde.exe Abpcooea.exe File created C:\Windows\SysWOW64\Pmiljc32.dll Cfhkhd32.exe File created C:\Windows\SysWOW64\Kjmnjkjd.exe Khghgchk.exe File created C:\Windows\SysWOW64\Noockemb.dll Lkdjglfo.exe File opened for modification C:\Windows\SysWOW64\Ahpbkd32.exe Aphjjf32.exe File created C:\Windows\SysWOW64\Nidjhoea.dll Fefqdl32.exe File created C:\Windows\SysWOW64\Qlfgce32.dll Nedhjj32.exe File created C:\Windows\SysWOW64\Nhjjgd32.exe Neknki32.exe File created C:\Windows\SysWOW64\Liipnb32.exe Lhiddoph.exe File created C:\Windows\SysWOW64\Hlmgamof.dll Jdpjba32.exe File created C:\Windows\SysWOW64\Jcojqm32.dll Bkhhhd32.exe File created C:\Windows\SysWOW64\Hehiqh32.dll Hfbcidmk.exe File opened for modification C:\Windows\SysWOW64\Oiffkkbk.exe Oekjjl32.exe File created C:\Windows\SysWOW64\Dicdjqhf.dll Qjklenpa.exe File created C:\Windows\SysWOW64\Bkjdndjo.exe Bgoime32.exe File created C:\Windows\SysWOW64\Ihkhkcdl.dll Bmlael32.exe File created C:\Windows\SysWOW64\Iliebpfc.exe Hlgimqhf.exe File opened for modification C:\Windows\SysWOW64\Ljfapjbi.exe Lboiol32.exe File opened for modification C:\Windows\SysWOW64\Agihgp32.exe Apppkekc.exe File opened for modification C:\Windows\SysWOW64\Fncpef32.exe e4b61ee08d50aebb3cfe0a03e6559e80N.exe File opened for modification C:\Windows\SysWOW64\Pkoicb32.exe Phqmgg32.exe File opened for modification C:\Windows\SysWOW64\Andgop32.exe Akfkbd32.exe File created C:\Windows\SysWOW64\Phfoee32.exe Pehcij32.exe File created C:\Windows\SysWOW64\Keppajog.dll Iamfdo32.exe File created C:\Windows\SysWOW64\Khghgchk.exe Jehlkhig.exe File opened for modification C:\Windows\SysWOW64\Jmfcop32.exe Jfmkbebl.exe File opened for modification C:\Windows\SysWOW64\Fdqnkoep.exe Fennoa32.exe File opened for modification C:\Windows\SysWOW64\Kpafapbk.exe Kmcjedcg.exe File created C:\Windows\SysWOW64\Aognbnkm.exe Ahmefdcp.exe File created C:\Windows\SysWOW64\Jbbobb32.dll Mcckcbgp.exe File created C:\Windows\SysWOW64\Imafcg32.dll Alihaioe.exe File opened for modification C:\Windows\SysWOW64\Jfieigio.exe Ipomlm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5364 5680 WerFault.exe 574 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqdfehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imodkadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmefdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhifooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbnjjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glklejoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpohakbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciagojda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfoaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkqlgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojglhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbfbnddq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domccejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjbpne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjkeoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgffe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdgmimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libjncnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fennoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdcllpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcjog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcadghnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfbbjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll" Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll" Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" Calcpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gghmmilh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllchm32.dll" Fhljkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkclikh.dll" Kindeddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" Fkcilc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcajhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippbdn32.dll" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfiema32.dll" Hghillnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padqpaec.dll" Gkmbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccqhkcib.dll" Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkmlb32.dll" Gpjkeoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpcmgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncmglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbblda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpohakbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioljfll.dll" Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbnphngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apkgpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogcf32.dll" Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikjhki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeomgho.dll" Nnmlcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnimiblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgqkbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgdgcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aojabdlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmegjdad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnnpb32.dll" Flocfmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdmepgce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neknki32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 3052 2108 e4b61ee08d50aebb3cfe0a03e6559e80N.exe 30 PID 2108 wrote to memory of 3052 2108 e4b61ee08d50aebb3cfe0a03e6559e80N.exe 30 PID 2108 wrote to memory of 3052 2108 e4b61ee08d50aebb3cfe0a03e6559e80N.exe 30 PID 2108 wrote to memory of 3052 2108 e4b61ee08d50aebb3cfe0a03e6559e80N.exe 30 PID 3052 wrote to memory of 2280 3052 Fncpef32.exe 31 PID 3052 wrote to memory of 2280 3052 Fncpef32.exe 31 PID 3052 wrote to memory of 2280 3052 Fncpef32.exe 31 PID 3052 wrote to memory of 2280 3052 Fncpef32.exe 31 PID 2280 wrote to memory of 2760 2280 Fnflke32.exe 32 PID 2280 wrote to memory of 2760 2280 Fnflke32.exe 32 PID 2280 wrote to memory of 2760 2280 Fnflke32.exe 32 PID 2280 wrote to memory of 2760 2280 Fnflke32.exe 32 PID 2760 wrote to memory of 2772 2760 Fogibnha.exe 33 PID 2760 wrote to memory of 2772 2760 Fogibnha.exe 33 PID 2760 wrote to memory of 2772 2760 Fogibnha.exe 33 PID 2760 wrote to memory of 2772 2760 Fogibnha.exe 33 PID 2772 wrote to memory of 2924 2772 Fhomkcoa.exe 34 PID 2772 wrote to memory of 2924 2772 Fhomkcoa.exe 34 PID 2772 wrote to memory of 2924 2772 Fhomkcoa.exe 34 PID 2772 wrote to memory of 2924 2772 Fhomkcoa.exe 34 PID 2924 wrote to memory of 1900 2924 Gfejjgli.exe 35 PID 2924 wrote to memory of 1900 2924 Gfejjgli.exe 35 PID 2924 wrote to memory of 1900 2924 Gfejjgli.exe 35 PID 2924 wrote to memory of 1900 2924 Gfejjgli.exe 35 PID 1900 wrote to memory of 1736 1900 Gdhkfd32.exe 36 PID 1900 wrote to memory of 1736 1900 Gdhkfd32.exe 36 PID 1900 wrote to memory of 1736 1900 Gdhkfd32.exe 36 PID 1900 wrote to memory of 1736 1900 Gdhkfd32.exe 36 PID 1736 wrote to memory of 2192 1736 Gqahqd32.exe 37 PID 1736 wrote to memory of 2192 1736 Gqahqd32.exe 37 PID 1736 wrote to memory of 2192 1736 Gqahqd32.exe 37 PID 1736 wrote to memory of 2192 1736 Gqahqd32.exe 37 PID 2192 wrote to memory of 1476 2192 Gkglnm32.exe 38 PID 2192 wrote to memory of 1476 2192 Gkglnm32.exe 38 PID 2192 wrote to memory of 1476 2192 Gkglnm32.exe 38 PID 2192 wrote to memory of 1476 2192 Gkglnm32.exe 38 PID 1476 wrote to memory of 1892 1476 Gneijien.exe 39 PID 1476 wrote to memory of 1892 1476 Gneijien.exe 39 PID 1476 wrote to memory of 1892 1476 Gneijien.exe 39 PID 1476 wrote to memory of 1892 1476 Gneijien.exe 39 PID 1892 wrote to memory of 1440 1892 Hcgjmo32.exe 40 PID 1892 wrote to memory of 1440 1892 Hcgjmo32.exe 40 PID 1892 wrote to memory of 1440 1892 Hcgjmo32.exe 40 PID 1892 wrote to memory of 1440 1892 Hcgjmo32.exe 40 PID 1440 wrote to memory of 1972 1440 Hcigco32.exe 41 PID 1440 wrote to memory of 1972 1440 Hcigco32.exe 41 PID 1440 wrote to memory of 1972 1440 Hcigco32.exe 41 PID 1440 wrote to memory of 1972 1440 Hcigco32.exe 41 PID 1972 wrote to memory of 2448 1972 Hlgimqhf.exe 42 PID 1972 wrote to memory of 2448 1972 Hlgimqhf.exe 42 PID 1972 wrote to memory of 2448 1972 Hlgimqhf.exe 42 PID 1972 wrote to memory of 2448 1972 Hlgimqhf.exe 42 PID 2448 wrote to memory of 2184 2448 Iliebpfc.exe 43 PID 2448 wrote to memory of 2184 2448 Iliebpfc.exe 43 PID 2448 wrote to memory of 2184 2448 Iliebpfc.exe 43 PID 2448 wrote to memory of 2184 2448 Iliebpfc.exe 43 PID 2184 wrote to memory of 584 2184 Iakgefqe.exe 44 PID 2184 wrote to memory of 584 2184 Iakgefqe.exe 44 PID 2184 wrote to memory of 584 2184 Iakgefqe.exe 44 PID 2184 wrote to memory of 584 2184 Iakgefqe.exe 44 PID 584 wrote to memory of 1068 584 Iefcfe32.exe 45 PID 584 wrote to memory of 1068 584 Iefcfe32.exe 45 PID 584 wrote to memory of 1068 584 Iefcfe32.exe 45 PID 584 wrote to memory of 1068 584 Iefcfe32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4b61ee08d50aebb3cfe0a03e6559e80N.exe"C:\Users\Admin\AppData\Local\Temp\e4b61ee08d50aebb3cfe0a03e6559e80N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe36⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe37⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe39⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe40⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe41⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe44⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe45⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe47⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe48⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe52⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe53⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe60⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe61⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe62⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe63⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe64⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe65⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe66⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe67⤵PID:3064
-
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe68⤵PID:2968
-
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe69⤵PID:2900
-
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe71⤵PID:2644
-
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe72⤵PID:2640
-
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe73⤵PID:2268
-
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe74⤵PID:2544
-
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe77⤵PID:1332
-
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe78⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe79⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe80⤵PID:2508
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe81⤵PID:2256
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe82⤵PID:1560
-
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe84⤵PID:1872
-
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe85⤵PID:316
-
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe86⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe87⤵PID:880
-
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe88⤵PID:2040
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe89⤵PID:1576
-
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe90⤵PID:1124
-
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe92⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe93⤵PID:2360
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe94⤵PID:1944
-
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe96⤵PID:672
-
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe97⤵PID:348
-
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe98⤵PID:2716
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe99⤵PID:2352
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe100⤵PID:2576
-
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe101⤵PID:1904
-
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe102⤵PID:2620
-
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe103⤵PID:1564
-
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe104⤵PID:2504
-
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe106⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe107⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe108⤵PID:1588
-
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe109⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe110⤵PID:2168
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe111⤵PID:2632
-
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe112⤵
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe114⤵PID:812
-
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe115⤵PID:2348
-
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe116⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe117⤵PID:2264
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe118⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe119⤵PID:2372
-
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe120⤵PID:2624
-
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe121⤵PID:2680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-